AI_LOGBOOK://til/terraform-state-management

Terraform State Management Best Practices

Jan 18, 2026
~5 min read
Infra #terraform #iac #aws #state #devops

The state file is Terraform’s single point of failure. Protect it.

Remote Backend Setup (S3 + DynamoDB)

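terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "prod/infrastructure.tfstate" # object path of the state file
    region         = "eu-central-1"
    encrypt        = true              # server-side encryption of the state object
    dynamodb_table = "terraform-locks" # table used for state locking
  }
}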

DynamoDB Lock Table

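resource "aws_dynamodb_table" "terraform_locks" {
  name         = "terraform-locks" # must match dynamodb_table in the backend block
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID" # the S3 backend requires a string key with this exact name

  attribute {
    name = "LockID"
    type = "S"
  }
}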

Workspace Strategy

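# Shell: create one workspace per environment, then select the one to work in
terraform workspace new prod
terraform workspace new staging
terraform workspace select prod

# HCL: use the selected workspace name as the environment key
locals {
  env = terraform.workspace
}

resource "aws_instance" "web" {
  # var.instance_types is a map keyed by workspace name
  instance_type = var.instance_types[local.env]
  tags = {
    Environment = local.env
  }
}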

State File Security Checklist

  • Remote backend enabled
  • Encryption at rest
  • State locking enabled
  • Versioning on S3 bucket
  • Restricted IAM access
  • No secrets in state (use SSM/Vault)